Windows Server 2012 Release Preview: Compelling new features

In the first week of June, Microsoft released a near-final version of Windows Server 2012 alongside its client
brother, Windows 8 Release Preview. In the days since that release, I've been spending time thoroughly examining
some of the new features in the 2012 edition. Here's a preview of a few that I find particularly compelling.

These are in addition to those I've already described in my earlier review of the Windows Server 2012 beta
version -- multimachine management, numerous Hyper-V improvements, improved security and others. And it's worth noting, too, that the UI
is still set to change by the time the software hits the "release to manufacturing" (RTM) stage, so I'll reserve my
final judgment until then. At this point, I still believe that Metro is the wrong way to go for a server operating
system aimed at professional systems administrators.

Dynamic access control

In Windows Server 2012, dynamic access control (DAC) is a suite of features and utilities that work together to
augment the file system security that has been a part of Windows since the NT days. It joins classification, policy
enforcement, auditing and encryption as another way to protect all sorts of data from unauthorized access and
tampering.

Let's take a look at how this works, starting with a couple of different types of policies.

First are the central access policies, which make up a layer of security that complements the existing access
control list (ACL) entries that we've come to know and love about the NT File System. These policies ride on top of
ACLs and add an additional layer of authorization to file and object access. They also pertain to all servers in an
organization, so they're applied very broadly and affect the entire business.

They also are more granular than specific file or folder ACLs and better translate to some of the business
requirements you're likely to face. These policies take into account the identity of the user, what type of device
the person is using for the access attempt and what kind of data is being accessed. It's more than just the
yes-or-no choice that ACLs force you to make.

(Screenshot caption: This is one of the spots in Active Directory Domain Services where you can set up dynamic
access control policies.)

For example, businesses could create policies that restrict access to a certain file or folder based on the
nature of the information, like data subject to HIPAA in the United States. This assists in overall organizational
compliance with government and industry regulations.

Additionally, you can create policies to restrict access based on the current department a user is assigned to
(as opposed to explicit security groups that would have to be updated regularly). Finally, you could create a
scenario where certain sectors of one organization could access only information pertaining to their work, a
situation that is common in financial institutions.

Central access policies work with the strategic placement of central audit policies, which back up the access
policies and prove that an organization is in compliance. When you take any government or industry compliance
mandate and enter the conditions of that mandate into an audit policy, you can then retrieve instant reports to
prove that you're applying and maintaining a policy that adheres to the spirit of the regulation.

You can also see instances where access was granted inappropriately and, from there, fine-tune your policy
assignments to ensure those holes don't happen again. You can also spot scenarios where users or groups attempt to
access information (and are unsuccessful at it) -- which is helpful from a security standpoint, since it shows
where users need further education or consequences.

Access and audit policies work with the file classification infrastructure, which was introduced in Windows
Server 2008 R2 and enhanced in this latest build. By classifying files, you apply tags that indicate various
properties about them. The tags could be for the type of data, the type of regulation applying to the data, the
time limit the data could be valid for, the expiration date of any confidentiality restrictions on the data and so
on.

The central access and audit policies work with these tags to determine, along with the file system ACLs, what
access can be granted to whom and on what conditions. For example, if you classify a certain folder as
HIPAA-sensitive because it contains patient medical data, then the central access policy would glom on to that tag
and activate when users attempt to access HIPAA information that the policy says should be restricted.

The audit policy would also key in to this activity and record the attempts, either successful or unsuccessful,
for further monitoring. In addition, Windows Server 2012 can now encrypt files automatically based on their
classification, so that all files with the HIPAA tag get encrypted automatically as soon as the tag is applied.
That encryption is maintained and can also be audited for compliance purposes.

This suite of facilities really enhances the way you can control access to information. It's no longer about
taking files or folders and making decisions about "yes, these people can" and "no, these people can't."

It's about abstracting away the individual data and making larger assignments about the types of data that live
on your system, and the types of users that should and should not have access to it. It's a new way of thinking
that very much complements the strong abilities of the file system to secure data.

To take full advantage of these additions, you'll need to make minimal schema additions to Active Directory. You
can begin using the lion's share of the feature set of DAC with just a Windows Server 2012 file server and a domain
controller -- it's not a wholesale upgrade. It's a helpful addition to Windows Server 2012.
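The pieces described above (a claim sourced from a user attribute, a classification tag, a central access rule and policy, folder classification on the file server, and the auditing that backs it up) fit together as in the following PowerShell session. This is an added example, not the article's or Microsoft's own script. The "Compliance" property, its "HIPAA" value, the "Medical Records" department and the D:\PatientRecords path are constructed for the example; it assumes the Windows Server 2012 schema is in place, the first half runs on a domain controller with the ActiveDirectory module, and the second half runs on the Windows Server 2012 file server with the File Server Resource Manager role installed.

```powershell
# Added example (not from the article): wire up the dynamic access control scenario
# the text describes. Names marked "constructed" are assumptions for this example.

# ---- Part 1: on a Windows Server 2012 domain controller ----
Import-Module ActiveDirectory

# User claim sourced from the existing 'department' attribute: when HR changes the
# attribute, access follows, with no security group to keep in sync.
$dept = New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -PassThru

# Resource property (the classification tag). "Compliance"/"HIPAA" are constructed names.
$hipaa = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    "HIPAA", "HIPAA", "Protected health information")
$none = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    "None", "None", "No regulatory tag")
$compliance = New-ADResourceProperty -DisplayName "Compliance" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SuggestedValues $hipaa, $none -PassThru
# Publish the property to file servers through the global resource property list.
Add-ADResourcePropertyListMember "Global Resource Property List" -Members $compliance.Name

# Central access rule. The conditional ACE (XA) grants Read & Execute (0x1200a9) to
# Authenticated Users only when the user's Department claim is "Medical Records", and
# the rule targets only resources whose Compliance tag equals HIPAA. The generated
# .Name values are used so the expressions match the IDs AD actually assigned.
$acl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
       "(XA;;0x1200a9;;;AU;(@USER." + $dept.Name + ' == "Medical Records"))'
$target = "(@RESOURCE." + $compliance.Name + ' == "HIPAA")'
# -CurrentAcl enforces immediately; use -ProposedAcl instead to stage the rule and
# compare its effect against the existing permissions before enforcing it.
New-ADCentralAccessRule -Name "HIPAA Records Rule" -CurrentAcl $acl -ResourceCondition $target

# Central access policy that carries the rule. Group Policy then links the policy to
# the file server (Computer Configuration > Policies > Windows Settings > Security
# Settings > File System > Central Access Policy), followed by gpupdate /force there.
New-ADCentralAccessPolicy -Name "HIPAA Data Policy"
Add-ADCentralAccessPolicyMember -Identity "HIPAA Data Policy" -Members "HIPAA Records Rule"

# ---- Part 2: on the Windows Server 2012 file server ----
Import-Module FileServerResourceManager
Import-Module ActiveDirectory   # only for looking up the property name below

# Pull the AD resource properties into FSRM so the tag can be used for classification.
Update-FsrmClassificationPropertyDefinition
$tagName = (Get-ADResourceProperty -Identity "Compliance").Name

# Folder rule: everything under the patient records share (constructed path) gets the
# HIPAA tag, which is what makes the central access rule apply to those files.
New-FsrmClassificationRule -Name "Tag patient records as HIPAA" `
    -Property $tagName -PropertyValue "HIPAA" `
    -Namespace @("D:\PatientRecords") -ClassificationMechanism "Folder Classifier"
Start-FsrmClassification

# Auditing: 4656 records handle requests (including denied ones), 4663 records the
# access that was performed; staging events show where a proposed rule would differ.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable

# Quick check: access attempts against the tagged folder in the last day, with the
# denied ones flagged by the Audit Failure keyword.
Get-WinEvent -FilterHashtable @{LogName = "Security"; Id = 4656, 4663; StartTime = (Get-Date).AddDays(-1)} |
    Where-Object { $_.Message -match "D:\\PatientRecords" } |
    Select-Object TimeCreated, Id, @{n = "Outcome"; e = { $_.KeywordsDisplayNames -join "," }}
```

Two prerequisites that the script cannot set by itself: the domain controllers must issue claims, which is the "KDC support for claims, compound authentication and Kerberos armoring" Group Policy setting under Computer Configuration > Policies > Administrative Templates > System > KDC, and the file server needs the policy linked through Group Policy as noted in the comments. Once classification has run, the Effective Access tab in a folder's Advanced Security Settings lets you pick a user, add a Department claim value, and confirm that the central access rule, not just the NTFS ACL, is what decides the outcome.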

Virtual Desktop Infrastructure improvements

RemoteFX technology, which has been part of Windows Server for some time, brings local-quality graphics to
hosted sessions over the Remote Desktop Protocol (RDP).

One of the big wins in Windows Server 2012 is the elimination of the requirement for physical GPU cards and
video cards in servers to take advantage of RemoteFX. This was expensive and tough to scale; you essentially needed
a dedicated GPU in a data-center server for every graphics-oriented user you had on a virtual desktop or a hosted
Remote Desktop session.

Now, virtualized GPUs that take on much of this work are available, and standard server boxes with no special
video equipment can host high-performance sessions.

Indeed, in side-by-side tests I witnessed at the recent TechEd conference, a Windows 8 RDP session hosted on a
Windows Server 2012 unit with no special hardware worked dramatically better than a Windows Server 2008 R2-based
session with a physical GPU using RemoteFX. The graphics were smooth, the latency was nearly nonexistent, and there
were no gaps in audio playback. 3D rendering also worked smoothly with keyboard, mouse and touch interaction. A
lot of work was done to the RDP protocol itself in Windows Server 2012 to improve remote multitouch events with as
little overhead and as much responsiveness as possible. The payoff shows.

In addition, USB support over an RDP session has been further enhanced such that if a device works locally on
the Windows client, it will work over an RDP session with no special drivers required. Previously, only a small
subset of Windows-compatible USB devices could be "sent" over an RDP connection, making the VDI deployment choice
limited for shops where users have a lot of local peripherals. Smart card readers, webcams, games and so on work
seamlessly as long as a driver is available to the local client -- the remote process is all taken care of by
RDP.

There is also a new "Fair Share" technology that manages the allocation of CPU, memory, disk space and network
bandwidth among all running sessions on a host. It prevents one user from hogging resources and limits users to a
certain percentage of available resources.

You can configure caps on each of the items globally, and those percentages are then applied evenly across all
running sessions. You can't specify that one user can have twice as much network bandwidth as another by default,
for example, which is why the technology is known as Fair Share. But it's a good way to ensure one user doesn't
degrade the VDI experience for everyone by streaming a high-definition movie.

In addition, a big disadvantage of the pooled desktops has been removed. In the past, when users were assigned a
pooled virtual machine, they had a degraded experience. Whenever they made changes to preferences, settings or
saved data locally to the pooled machine, those settings were destroyed upon logout since the pooled image remained
static. (This didn't apply to personal virtual desktops that were preserved individually for each user.)

In Windows Server 2012, the operating system will now create a separate virtual hard disk (VHD) file that stores
user personalization information. When users log in to a pooled desktop, Windows will stream this personal VHD
alongside the pooled image VHD to create a personalized experience. It also preserves any changes to the user disk
and saves it so that the next time a user logs in, those changes are streamed back in.

Now you get the benefit of patching and maintaining a single image while allowing users to customize their work
environment as if it were their own.

Finally, the storage options for VDI-based deployments have improved as well. For example, you can store and
operate VHDs over Server Message Block file shares, storage area networks (SANs) or local storage directly attached
to a server. Collections of pooled virtual desktops can be configured with tiers -- in other words, infrequently
used machines can be stored on cheap storage whereas more frequently used VHDs and sessions can be put on faster
but more expensive storage. And VDI works well with clustering and failover options present in Windows Server 2012
to better ensure high availability.

Networking improvements

The big benefit for management gurus everywhere is the set of further enhancements to DirectAccess. I've written
about DirectAccess before for Computerworld, and I'm a big fan of the technology. It allows VPN-like secure
tunneling from any endpoint back to the corporate mother ship without the overhead and performance hit of a true
VPN.

There is also no management agent on the client; when the technology is configured correctly, it just works.
Users have seamless connectivity to file shares, on-premises equipment and other resources just as if they were on
the corporate campus.

In addition, group policy objects get applied and administrators can manage machines wherever they are, not just
when employees come to headquarters or when the machines connect up to the VPN.

The downside of using DirectAccess up to now has been the heavy requirements in getting the technology set up --
it used to be dependent on IPv6 or somewhat kludgy IPv6-to-IPv4 conversion engines -- and configuring the server
endpoints that reside in your DMZ or on the edge of your network. It also didn't support being virtualized.

These requirements have all been removed in Windows Server 2012. DirectAccess works transparently with IPv4, so
no strange Teredo or conversion tunnels are required. In addition, you can virtualize the edge machine running the
DirectAccess "interceptor" without any problems. I've only tried it on Hyper-V, but I assume VMware will be
supported once the product has officially been released.

And finally, a new Express Remote Access Wizard included in the release candidate build removes nearly all of
the complexity from setting up DirectAccess. In just seven clicks, an administrator can run through a wizard and
have a working DirectAccess setup immediately.

DirectAccess is a hugely powerful technology that has big implications for companies with largely remote
workforces as well as organizations with traveling sales workers and other business users. Now you can touch them,
and they can touch you, wherever they are with Internet connectivity. It's a huge win for IT and I was pleased to
see these refinements and the removal of these large hurdles to adoption.

The last word

I've been pessimistic about Windows 8 as a client. I simply don't understand some of the changes that have been
made and don't fully buy into the value proposition on the Metro interface and touch. On the server end, though, I
am a full 180 degrees opposite: I love the things that are happening in Windows Server 2012.

From much easier deployment for DirectAccess to a full-scale file classification and dynamic access control
system, to better user experiences for companies deploying a virtual desktop infrastructure, the improvements in
Windows Server 2012's release candidate build are palpable and compelling. Chances are, there's something in there
for you.

Jonathan Hassell runs 82 Ventures LLC, a consulting firm based out of Charlotte, N.C. He's also an editor with
Apress Media LLC. Reach him at jhassell@gmail.com.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.